Swanand: November 2014

Tuesday, 25 November 2014

Configuring Active Directory (AD DS) in Windows Server 2012

Windows Server 2012 introduces a plethora of new features with a key emphasis on Cloud integration being the buzz word in the industry over the last 24 months.  Windows continues to grow and mature as an operating system with the latest iteration being more secure, reliable and robust and more importantly making it easily interoperable with other systems.

This post will focus on installing a Windows 2012 Server and then promoting it as the first domain controller in a new forest.  Even though the logical steps haven’t really changed dramatically since the introduction of Windows 2008, the interface has, especially with the new Metro look.  So let’s begin our journey with Windows Server 2012, as this will be the first of many articles on configuring the different components that Windows Server 2012 has to offer.

Installing Windows Server 2012
The first step is to boot up from the CD or ISO image and select your language settings.
Select your Language and input options and then click on Next.

Click Install Now

Select the operating system you want to install.  I have selected Windows Server 2012 Release Candidate Server with a GUI.  The other option is server core which was first introduced in Windows 2008 and is a minimal install with no GUI but provides remote management through Windows PowerShell and other tools.

Click Next

Accept the License terms

Click Next

We are performing a new installation of Windows Server, so click on Custom.

Partition your drives and then click Next.
The Installation of Windows then proceeds.

 The installation will eventually re-start your Windows Server where it will go through the final stages of preparing the environment for first time use.
 You will eventually be prompted to enter a password for the built-in Administrator account.

 Click Finish
You will now be presented with the new Windows Login Screen, which is a fair change to what we have been accustomed to with previous releases of Windows Server.

Hit Ctrl-Alt-Delete to sign in, and enter your password.
You will be presented with the new Server Manager Screen which really simplifies the administration and configuration of your new server.  Our main goal for this article is to configure Active Directory and its related services such as DNS.

The first thing I want to do is change the computer name.  Windows provides a default unique name in the form WIN-<random characters>.
To do so, from the Server Manager > Dashboard screen, click on Local Server and then click on the computer name hyperlink.

This will take you to the familiar System Properties dialog.
Click Change, enter a more desirable computer name and then click OK.
You will then be prompted to restart your computer to apply the changes.  Click OK and then click Restart Now.
After your computer has restarted, you will be presented with the Server Manager screen.  Now we are ready to configure this server as an Active Directory domain controller.
Adding the Active Directory Domain Services Role
From the Dashboard click on “Add roles and features”.  You will be presented with the “Before you begin” screen.  Click Next.  In the “Installation Type” screen click on “Role-based or feature-based installation”.

 Click Next
You will be presented with the following screen asking you to select a destination server.  This is a new feature of Windows 2012 where you have the ability to deploy roles and features to remote servers and even offline virtual hard disks.
In our case, we are selecting the current server from the server pool.

 Click Next
We are now back in familiar territory (if you have worked with Windows 2008 Server) and we will select the “Active Directory Domain Services” and DNS Server if it hasn’t already been provisioned.
 You will then be prompted to add features that are required for Active Directory Domain Services.
 Click on Add Features
Click Next
If you want to add additional features, you can do so from the next screen, otherwise click Next
 You will now be presented with the Active Directory Domain Services (AD DS) screen outlining some information about AD DS and its requirements.  You will notice that DNS is a MUST and has always been the case.

 Click next
You are now provided with a summary of the installation selections.
 The installation will now begin
 Upon completion you will be presented with an installation succeeded message.
 Click Close.
Back in Server Manager, you will notice that AD DS has been added to the left navigation tree.  Click on it and then click on More on the right navigation pane where it states that Configuration is required for Active Directory Domain Services.

 You will now be presented with the All Servers Task Details, in which you will click on Promote this server to a domain controller under Action.
The Deployment Configuration screen appears and we will select “Add a new forest” as this is the first domain controller.
 Enter your Root domain name and then click Next.
The following screen will then appear in which you will enter and select your Domain Controller Options.
You will then get the warning shown below, which you can ignore for now.
 Click Next
The NetBIOS domain name will then be populated automatically.  In the event of a conflict, it will suggest an alternative by appending a 0 to the original name.
 Click Next
Confirm or change the locations of your database folder, log folder and SYSVOL folder.
Click Next
Review your selections and then Click Next.
If all of the prerequisite checks have passed successfully, you will be able to click on Install to proceed.

 Click Install
The installation will now proceed and you will see the progress being displayed.
 The computer will most likely restart on its own to complete the installation so don’t be alarmed if it does.  You will receive a brief warning advising so.
Upon restart, you should be able to log in using your domain credentials for the user Administrator.
So let’s add our first user!  We can do so via the new Active Directory Administrative Center or via the well-known Active Directory Users and Computers.  For something different, let’s try the former.
Once Server Manager has launched, click on Tools > Active Directory Administrative Center
You will be greeted with the below Welcome screen.
 Click on your domain on the left navigation pane, in my instance it is corp (local).
Let’s begin by creating our first Organizational Unit that will house our corporate users (I am not a fan of using the default Users container).  On the right navigation pane under Tasks > <domain name> click on New and then select “Organizational Unit”.
Enter the mandatory details.
 Click OK
This will immediately create the Organizational Unit in the designated location.  Double click on your newly created Organizational Unit and on the left navigation pane, select New User.  The below screen appears in which you will fill in the necessary details.
 Make sure you scroll down to the bottom and fill in all the necessary sections such as Groups, Profile Settings and Organization settings.
Once completed, Click OK.
Your newly created user will now be listed in the middle navigation pane.
As you can see, it is relatively straightforward to configure your first domain controller in a new forest using Windows Server 2012, in particular if you have had experience with Windows Server 2008.



Friday, 14 November 2014

CCIE notes – Security part 2

Layer 3 Security


Recommendation
1. Secure Telnet access to the router, and use SSH
2. Enable SNMP security, adding SNMPv3 support
3. Turn off unnecessary services on the router platform
4. Turn on logging to provide an audit trail
5. Enable protocol authentication
6. Enable CEF

General Layer3 Security Considerations

1. Smurf Attacks

– a large number of ICMP Echo Requests with the same (spoofed) source IP address in the packet
– the destination address is a subnet broadcast address, also known as a directed broadcast address
Solutions

1. “no ip directed-broadcast” – the default since IOS version 12.0
– prevents the router from forwarding the broadcast onto the VLAN
2. Unicast Reverse Path Forwarding (uRPF)
– tells Cisco IOS to examine the source IP address of incoming packets on that interface (CEF must be enabled)
Two types:
a. Strict RPF – the router checks whether the matching route uses an outgoing interface that is the same interface on which the packet was received; if not, the packet is discarded
b. Loose RPF – the router checks for any route that can be used to reach the source IP address

2. TCP SYN flood, the Established Bit and TCP Intercept

TCP SYN flood – creates a large number of connections that are never completed
– an “established” ACL can be used when you only want to allow connections opened from the inside towards the outside
– TCP “intercept” can be used when you want the connections to come from “outside” towards “inside”
TCP “intercept” works in 2 ways:
1. Watch mode – keeps state information about TCP connections that match a defined ACL
– if a TCP connection does not complete the three-way handshake within a particular time period, it sends a TCP reset to the server
– it also counts the number of new connections over time, and if a large number arrives (default 1000), the router temporarily filters new TCP requests to prevent a SYN attack
2. Intercept mode – the router replies to TCP connection requests itself instead of forwarding them to the actual server
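The Smurf and SYN-flood mitigations above, written out as an edge-router configuration. This is an added example, not configuration from the original notes; the interface names, the ACL numbers, the 203.0.113.0/24 outside link and the 192.0.2.0/24 server subnet are assumed values.

```cisco
! Added example: anti-spoofing and SYN-flood protection on an edge router.
! Interface names, ACL numbers and addresses are assumed placeholders.
ip cef
!
interface GigabitEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 ! do not forward directed broadcasts (Smurf amplification); default since 12.0
 no ip directed-broadcast
 ! loose uRPF: accept the packet if ANY route leads back to its source
 ip verify unicast source reachable-via any
 ! "established" ACL: only sessions opened from the inside, plus the
 ! published web servers that TCP Intercept will protect
 ip access-group 110 in
!
interface GigabitEthernet0/1
 description LAN towards internal servers
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 ! strict uRPF: the route back to the source must point out THIS interface,
 ! so a host on this LAN cannot spoof addresses from elsewhere
 ip verify unicast source reachable-via rx
!
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 eq 80
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 eq 443
access-list 110 permit tcp any any established
access-list 110 deny ip any any log
!
! TCP Intercept in watch mode for connections towards the server subnet:
! half-open connections that do not complete within 20 s get a reset sent
! to the server; above 1100 incomplete connections (or 1100 new ones per
! minute) the router starts aggressively dropping until below 900
access-list 120 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 120
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
```

To verify, use “show ip interface GigabitEthernet0/1 | include verify” (it reports the uRPF mode and drop counters) and “show tcp intercept statistics” / “show tcp intercept connections” while the servers are under load; the watch-mode counters show whether the router is in aggressive mode.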

Classic Cisco IOS firewall

CBAC – Context-Based Access Control
– you must configure the following:
1. Protocol to inspect
2. Interface on which to perform the inspection
3. Direction of the traffic to inspect, per interface
TCP vs UDP with CBAC
– TCP has clear-cut connections, so CBAC can handle it easily
– UDP is more difficult to handle
Common protocol that CBAC can Inspect:
1. Any TCP
2. Any UDP sessions
3. FTP
4. SMTP
5. TFTP
6. H.323
7. Java
8. …

CBAC Disadvantages

– CBAC comes after ACL filters
– CBAC cannot protect against attacks that are coming from inside
– CBAC works only on protocols you set to “inspect”
– to inspect other types of traffic (not TCP or UDP), you must configure a named inspection rule
– CBAC does not inspect traffic generated by the router itself
– CBAC has restrictions on handling encrypted traffic

Cisco IOS Zone-Based Firewalls

– traffic can travel between the interfaces of the same zone, but not between zones
– zones are configured using a class-based policy language (like MQC)
– can inspect: HTTP, HTTPS, SMTP, ESMTP, POP3, IMAP, Yahoo IM, MSN, RPC and P2P applications
Steps to configure ZBF
1. Create zones
2. Decide how traffic should travel between the zones and create zone-pairs on the router
3. Create class-maps to identify inter-zone traffic that must be inspected by the firewall
4. Assign policies to the traffic by creating policy maps and associated class-maps with them
5. Assign policy maps to the appropriate zone-pair
6. Assign interfaces to zone. An interface may be assigned to only one security zone
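The six ZBF steps carried through for a simple two-zone router, as an added example that is not part of the original notes. The zone, class-map, policy-map and interface names are assumed; the point is that the only zone-pair defined is INSIDE to OUTSIDE, so anything initiated from OUTSIDE has no policy and is dropped by default.

```cisco
! Added example: two-zone zone-based firewall. Names are assumed placeholders.
! Step 1: create the zones
zone security INSIDE
zone security OUTSIDE
!
! Step 3: class-map identifying the inter-zone traffic to inspect
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 4: policy-map; inspected traffic gets return traffic allowed
! statefully, everything else in this direction is dropped and logged
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Step 2 + 5: the zone-pair (direction) and the policy attached to it.
! No OUTSIDE->INSIDE zone-pair exists, so unsolicited inbound traffic is
! dropped without any further configuration.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Step 6: each interface belongs to exactly one zone
interface GigabitEthernet0/1
 description LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/0
 description Internet
 zone-member security OUTSIDE
```

“show policy-map type inspect zone-pair sessions” lists the stateful sessions the inspect action has created; “show zone-pair security” confirms which policy is bound in which direction.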

Cisco IOS IPS

– it provides Deep Packet Inspection (DPI) of traffic transiting the router
– the signatures are stored in flash
– when IPS is configured, it acts like an inline IPS
Steps
1. Remove all signature categories and then import the basic IOS IPS category
2. Create a directory in flash to store the IPS configuration
3. Create an IOS IPS rule
4. Specify the location of the signatures
5. Apply the rule to an interface, inbound and/or outbound
6. Once the rule is applied, the router loads the signatures
7. Verify IPS using “#show ip ips config”

Control-Plane Policing (CoPP)

– applies to traffic destined to the router itself (the control plane)
– addresses the problem of the route processor being overwhelmed by leveraging the MQC to rate-limit or drop control-plane traffic
– used so you do not get locked out of the device
Implementing CoPP:
1. Enable QoS globally; otherwise CoPP is done in software and not in hardware
2. Create the ACLs to classify traffic
3. Create class-maps that match the appropriate ACL, or IP Precedence or DSCP values
4. Create a policy map and associate the class-maps with it
5. Assign the allowed bandwidth to each class
6. Assign the policy map to the router or switch control plane as a service policy
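The CoPP steps in configuration form, as an added example (not the notes’ own configuration). The management subnet 10.10.0.0/24, the SNMP poller 10.10.0.5, the rates and the class names are assumed values; the important design point is that routing protocol traffic is never dropped by the policer, while management and ICMP are capped so a flood cannot starve the route processor.

```cisco
! Added example: Control-Plane Policing. Addresses, names and rates are assumed.
! Step 1 (Catalyst switches only): enable QoS globally so CoPP runs in hardware
! mls qos
!
! Step 2: ACLs that classify traffic punted to the control plane
ip access-list extended ACL-COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended ACL-COPP-MGMT
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 permit udp host 10.10.0.5 any eq snmp
ip access-list extended ACL-COPP-ICMP
 permit icmp any any
!
! Step 3: class-maps matching the ACLs
class-map match-any CM-COPP-ROUTING
 match access-group name ACL-COPP-ROUTING
class-map match-any CM-COPP-MGMT
 match access-group name ACL-COPP-MGMT
class-map match-any CM-COPP-ICMP
 match access-group name ACL-COPP-ICMP
!
! Step 4 + 5: policy-map with a policer per class (bps, burst bytes)
policy-map PM-COPP
 class CM-COPP-ROUTING
  ! never drop adjacencies: exceed-action transmit only marks the counters
  police 512000 8000 conform-action transmit exceed-action drop
 class CM-COPP-MGMT
  police 128000 8000 conform-action transmit exceed-action drop
 class CM-COPP-ICMP
  police 32000 8000 conform-action transmit exceed-action drop
 class class-default
  ! everything unclassified (unknown sources, scans) gets a small bucket
  police 64000 8000 conform-action transmit exceed-action drop
!
! Step 6: bind the policy to the control plane, inbound
control-plane
 service-policy input PM-COPP
```

Check it with “show policy-map control-plane”: the conformed/exceeded counters per class show what is actually reaching the route processor, and a non-zero exceed count in CM-COPP-ROUTING means the routing rate is set too low and must be raised before it causes flaps.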

Dynamic Multipoint VPN (DM-VPN)

– uses IPsec, GRE and the Next Hop Resolution Protocol (NHRP)
– supports segmentation across VPNs and is VRF-aware
– the HUB router is configured with a single multipoint GRE (mGRE) interface and a set of profiles applied to the spoke routers
DMVPN vs hub-and-spoke VPN – DMVPN advantages:
1. Simpler hub configuration. A DMVPN hub router requires only one multipoint GRE tunnel interface, one IPsec profile and no crypto ACL
2. Zero-touch at the hub router for provisioning spoke routers. The hub router does not require configuration when new spoke routers are brought online
3. Automatically initiated IPsec encryption, facilitated by NHRP
4. Dynamic addressing support for spoke routers. Instead of static configuration, the hub learns spoke router addresses when they register to the network
5. Dynamically created spoke-to-spoke tunnels. Spoke routers learn about each other using NHRP, so they can form tunnels between each other automatically instead of requiring spoke-to-spoke traffic to go through the hub
6. VRF integration for MPLS environments
A dynamic routing protocol (EIGRP, OSPF, BGP, RIP or even ODR) is required between the hub and the spokes.

CCIE notes – Security part 1

Router & Switch Device Security

– encrypt the plaintext passwords in the configuration with the following command: #service password-encryption
– “#no service password-encryption” does not automatically decrypt the passwords; they stay encrypted until a new password is entered
– #enable secret – stores the password as an MD5 hash
– #enable password – type 7 password
– #username <name> password <pass> – encrypts the password as MD5

AAA – Authentication, Authorization and Accounting

Radius vs Tacacs

Feature                                              RADIUS           TACACS
Scope of encryption (whole payload or just password)  Password only    Entire payload
Layer 4 protocol                                      UDP              TCP
Well-known ports                                      1812/1645        49/49
Standard or Cisco proprietary                         Standard         Cisco
AAA authentication methods
Steps
1. Enable AAA with “aaa new-model”
2. Define the RADIUS or TACACS server IP address and key
3. Define the default set of authentication methods used for all CLI access with “#aaa authentication login default”
4. Define the default set of authentication methods for enable mode with “aaa authentication enable default”
– there is no limit to the number of RADIUS/TACACS servers; IOS tries the first one, then the next, and so on
– you can create server groups and specify the order in which the servers are tried

PPP Security

– PPP can use PAP or CHAP
– the default authentication is against the local database (#username <name> password <pass>)
Steps
1. Enable AAA with “aaa new-model”
2. Configure RADIUS/TACACS
3. Define the set of authentication methods using #aaa authentication ppp default
4. Create groups with #aaa authentication group ..
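The device-security commands, the AAA login/enable steps and the PPP steps above, combined into one router configuration. This is an added example, not configuration from the notes; the server names, the 10.10.0.0/24 addresses and every key or secret are placeholders to be replaced.

```cisco
! Added example: local password storage, AAA against TACACS+/RADIUS, SSH-only
! management and PPP CHAP through AAA. Addresses, names and secrets are placeholders.
service password-encryption
! "secret" stores an MD5 hash; "password" would only get type 7 obfuscation
enable secret EXAMPLE-ENABLE-SECRET
username admin privilege 15 secret EXAMPLE-ADMIN-SECRET
!
! Step 1: enable AAA
aaa new-model
!
! Step 2: define the servers and their keys, then put them in groups so the
! order in which they are tried is explicit
tacacs server TAC-01
 address ipv4 10.10.0.10
 key EXAMPLE-TACACS-KEY
radius server RAD-01
 address ipv4 10.10.0.11 auth-port 1812 acct-port 1813
 key EXAMPLE-RADIUS-KEY
aaa group server tacacs+ TAC-GROUP
 server name TAC-01
aaa group server radius RAD-GROUP
 server name RAD-01
!
! Step 3 + 4: method lists; "local" / "enable" are the fallback when every
! server in the group is unreachable (not when it rejects the user)
aaa authentication login default group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable
aaa authorization exec default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
!
! PPP: CHAP credentials verified through RADIUS, local database as fallback
aaa authentication ppp default group RAD-GROUP local
interface Serial0/0/0
 encapsulation ppp
 ppp authentication chap
!
! SSH instead of Telnet; generate the host key first in exec mode with
! "crypto key generate rsa modulus 2048" (needs ip domain-name set)
ip domain-name example.net
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
```

Before logging out of the session that applied this, open a second SSH session and run “test aaa group TAC-GROUP admin EXAMPLE-ADMIN-SECRET legacy” (or “show aaa servers”) to confirm the server actually answers; the local fallback only kicks in on server timeout, so a wrong key locks you out of remote access while the console still works.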

Layer2 Security

Recommendations
1. Disable unneeded dynamic protocols like CDP and DTP
2. Disable trunking by configuring these ports as access ports
3. Enable BPDU Guard and Root Guard to prevent STP attacks
4. Use DAI or private VLANs to prevent frame sniffing
5. Enable port security
6. Use 802.1x user authentication
7. Use DHCP snooping and IP Source Guard to prevent DHCP DoS and man-in-the-middle attacks
8. Use private VLANs to protect from sniffing
9. Configure VTP authentication
10. Disable unused switch ports and place them in an unused VLAN (e.g. VLAN 999)
11. Avoid using VLAN 1
12. For trunks, do not use the native VLAN

Port Security

– requires that a port is statically set as either access or trunking
#switchport port-security [aging] [violation {protect|restrict|shutdown}]
protect – tells the switch to perform port security
restrict – tells it to send SNMP traps and issue log messages regarding the violation
shutdown – puts the port in the err-disabled state

Dynamic ARP Inspection (DAI)

– works by sending a GARP
– DAI is used to defeat ARP attacks
DAI determines whether an ARP message is inappropriate using the following logic:
1. If an ARP reply lists a source IP address that was not DHCP-assigned to a device off that port, DAI filters the ARP reply
2. It uses a list of statically defined IP/MAC addresses
3. For a received ARP reply, DAI compares the source MAC in the Ethernet header to the sender MAC in the ARP message. If they are not equal, the reply is filtered
4. DAI compares the destination Ethernet MAC and the target MAC listed in the ARP body
5. DAI checks for unexpected IP addresses like “0.0.0.0” or “255.255.255.255”
DHCP snooping must be enabled for DAI to work

Dynamic ARP inspection Commands

Command – Purpose
ip arp inspection vlan <vlan-range> – global command to enable DAI on the switch for specific VLANs
ip arp inspection trust – interface sub-command that enables or disables DAI on the interface (trusted ports are not inspected); by default DAI is enabled on the interface
ip arp inspection filter <arp-acl-name> vlan <vlan-range> [static] – global command that refers to an ARP ACL defining static IP/MAC addresses to be checked by DAI
ip arp inspection validate {[src-mac] [dst-mac] [ip]} – enables additional optional checking of ARP messages
ip arp inspection limit {rate pps [burst interval seconds] | none} – limits the ARP message rate to prevent DoS attacks carried out by sending a large number of ARPs
By default DAI sets a limit of 15 ARP messages per port per second to mitigate that risk; the setting can be changed using “ip arp inspection limit”

DHCP Snooping

– builds a table of IP address to port mappings, called the DHCP snooping binding table
– the table is used by DAI and IP Source Guard
– used to prevent DHCP attacks
– DHCP attack: a man-in-the-middle attack using a bogus DHCP server that hands out the attacker’s address as the default gateway
To avoid depleting the IP pool, DHCP snooping uses the following logic to filter packets:
1. It filters messages sent exclusively by DHCP servers
2. The switch checks DHCP release and decline messages against the DHCP snooping binding table; if the IP address in those messages is not listed with the port in the DHCP snooping binding table, the messages are filtered
3. Optionally, it compares the DHCP request’s client hardware address with the source MAC address inside the Ethernet frame
Command – Feature
ip dhcp snooping vlan <vlan-range> – global command to enable DHCP snooping on those VLANs
ip dhcp snooping trust – interface sub-command that marks the port as trusted
ip dhcp snooping binding <mac-addr> vlan <id> <ip-address> interface <id> expiry <seconds> – adds static entries to the DHCP snooping binding database
ip dhcp snooping limit rate <rate> – sets the maximum number of DHCP messages per second to mitigate DoS attacks


IP source Guard

– if enabled together with DHCP snooping, IP Source Guard checks the source IP address of received packets against the DHCP snooping binding database
– it is enabled on the interfaces
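An access-switch configuration that applies the Layer 2 recommendations, port security, DHCP snooping, DAI and IP Source Guard from the sections above. It is an added example, not configuration from the notes; the VLAN numbers (10, 20, parking VLAN 999), the interface ranges, the uplink port and the VTP domain name are assumed.

```cisco
! Added example: Layer 2 hardening of an access switch. VLANs, port ranges
! and names are assumed placeholders.
! --- global ---
no cdp run
vtp domain EXAMPLE
vtp password EXAMPLE-VTP-SECRET
! BPDU Guard on every PortFast port; let err-disabled ports recover on their own
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
!
! DHCP snooping builds the binding table that DAI and IP Source Guard consult
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
! extra checks: Ethernet MAC vs ARP sender/target MAC, and bogus IPs
ip arp inspection validate src-mac dst-mac ip
!
! --- user-facing access ports: untrusted for snooping and DAI ---
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! port security: at most two learned MACs, violations logged not shut
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! rate-limit DHCP and ARP so one host cannot exhaust the CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: drop IP packets whose source is not in the binding table
 ip verify source
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
!
! --- uplink to distribution / DHCP server: the only trusted port ---
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- unused ports: shut and parked in the unused VLAN ---
interface range GigabitEthernet1/0/25 - 47
 switchport mode access
 switchport access vlan 999
 shutdown
```

“show ip dhcp snooping binding” should list one entry per active client before DAI and IP Source Guard are turned on; a host with a static address will be cut off by “ip verify source” unless a static binding is added for it, which is the most common surprise when rolling this out.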

802.1x Authentication using EAP

– switches use 802.1x to authenticate a device before it is allowed to join the network
– EAP can be used to authenticate the PC, or can be used with a one-time password (OTP)
– EAP messages are encapsulated in Ethernet frames; these are called EAP over LAN (EAPoL)
– RADIUS expects the EAP message as a data structure called a RADIUS attribute, with this attribute sitting inside a normal RADIUS message

802.1x roles

1. Supplicant – the PC that sends the message
2. Authenticator – the switch that translates from EAP to RADIUS
3. Authentication Server – stores username/password and verifies that the correct values were submitted before authenticating the user

Storm Control

– supports rate-limiting traffic at Layer 2 using the #storm-control commands
– can be configured for unicast, multicast and broadcast traffic
– can be configured per port
– it supports only physical interfaces, not subinterfaces, EtherChannels etc.

CCIE notes – MPLS

MPLS IP Forwarding: Data Plane

– MPLS routers push (inject), pop (remove) or swap labels and forward packets based on them
– MPLS relies on CEF, extending its logic and data structures



LSR (Label Switch Router)

– any router that has awareness of MPLS labels
FIB – used for incoming unlabeled packets
LFIB – used for incoming labeled packets

MPLS header and label
– header of 4 bytes, located before the IP header

MPLS header fields

Label – 20 bits
EXP – 3 bits, experimental (used for QoS)
S – 1 bit, bottom of stack; if “1” it means this label immediately precedes the IP header
TTL – 8 bits, time to live

MPLS TTL field and MPLS TTL propagation
– MPLS needs its own TTL field so that LSRs can completely ignore the TTL of the encapsulated IP header
– an LSR only decrements its own (MPLS) TTL

By default this is how MPLS works:

Ingress E-LSR – after it decrements the IP TTL field, it copies the IP TTL value into the MPLS TTL field
LSR – when it swaps the label it decrements the MPLS TTL
Egress E-LSR – decrements the MPLS TTL and copies the value into the IP TTL
Cisco IOS can be configured to disable MPLS TTL propagation; when it is disabled, the MPLS TTL is set to 255, so the entire MPLS network appears as a single hop when you issue a traceroute

MPLS Forwarding – Control Plane

MPLS VPNs use 2 control planes: LDP and BGP (MP-BGP)

MPLS LDP basics
LDP – Label Distribution Protocol
– used to advertise labels for each prefix in the IP routing table; it says “if you want to send packets to this IP prefix, send them to me with the label listed in the LDP update”
– LDP is triggered by a new IP route in the unicast routing table
1. PE learns a new unicast IP route
2. PE allocates a new local label (one not already in use)
3. PE uses LDP to advertise the mapping between the IP prefix and the label to all LDP neighbors

LSP – Label Switched Path
– unidirectional

MPLS LIB feeding FIB and LFIB
LIB – Label Information Base
LSR – Label Switch Router

LSR – stores labels and related information inside the LIB
LIB – stores all labels and associated information that could be used to forward a packet
– each LSR must pick the best label and outgoing interface to actually use and then populate that information into the FIB and LFIB => FIB and LFIB hold only the best labels

LDP – uses Hello messages to discover LDP neighbors
– Hellos are multicast to 224.0.0.2 (UDP port 646; TDP uses UDP port 711)
– the Hello lists the LSR’s LDP ID, which consists of a 32-bit dotted-decimal number and a 2-byte label space number
– it can list a “transport address” in the Hello message, which is the IP address that the LSR wants to use for any LDP TCP connection

– after becoming neighbors, they use the unicast address listed in the Hellos. The address must be present in the IP routing table


LDP reference

LDP feature – LDP implementation
Transport protocols – UDP (Hellos), TCP (updates)
Port number – 646 (LDP), 711 (TDP)
Hello destination address – 224.0.0.2
Who initiates the TCP connection – the highest LDP ID
TCP connection uses this address – the transport IP address (if configured), or the LDP ID if no transport address is configured
LDP ID determined by these rules, in order of precedence – a. configuration; b. highest IP address of an up/up loopback interface when LDP comes up; c. highest IP address of an up/up non-loopback interface when LDP comes up
MPLS VPN

ATM and Frame Relay are replaced by MPLS VPNs
– use MPLS unicast IP forwarding together with other features
MPLS VPN – uses MP-BGP to overcome some of the challenges of connecting an IP network to a large number of customer IP internetworks

MPLS VPN VRFs – are used so you can have multiple routing tables
Router roles: CE, PE, P
– both PE and P routers run LDP and an IGP to support unicast IP routing
– the IGP advertises routes only for subnets inside the MPLS network, with no customer routes included => P and PE routers can together label-switch packets from the ingress PE to the egress PE
– to keep track of all the routes from customers (which can overlap), the PE stores the routes in separate, per-customer routing tables, called VRFs

The PEs then use iBGP to exchange the customer routes with other PEs – they never advertise those routes to the P routers
– the PE places 2 labels on the packet:
1. An OUTER MPLS header (S bit = 0), with a label value that causes the packet to be label-switched to the egress PE – used by the MPLS network (to forward the packet through the MPLS network)
2. An INNER MPLS header (S bit = 1), with a label that identifies the egress VRF on which to base the forwarding decision – used for the VPN (label for VPNs)

MPLS VPN Control Plane
1. VRFs
2. RD (Route Distinguishers)
3. RT (Route Targets)

1. VRFs

– to support multiple customers, MPLS includes the concept of a virtual router
– MPLS routers need a minimum of one VRF for each customer attached to that particular router

Each VRF has
a. An IP routing table (RIB)
b. A CEF FIB, populated based on the RIB
c. A separate instance or process of the routing protocol used to exchange routes with the CEs that the VRF supports

MPLS deals with the overlapping prefix problem by adding another number in front of the original BGP NLRI (prefix)


2. RDs

– allow BGP to advertise and distinguish between duplicate IPv4 prefixes
– concept: advertise each prefix as a traditional IPv4 prefix but add another number (the RD) that uniquely identifies the route
– the new prefix format, called VPNv4, has the following two parts
a. A 64-bit RD
b. A 32-bit IPv4 prefix
– every VRF must be configured with an RD

The RD is made of 8 bytes and has 3 formats:

2-byte-integer:4-byte-integer
4-byte-integer:2-byte-integer
4-byte-dotted-decimal:2-byte-integer
– in all 3 formats, the 1st value (before the colon) should be either an ASN or an IPv4 address


3. Route Targets (RT)

– are advertised in BGP updates as BGP extended community path attributes (PAs)
– BGP extended communities are 8 bytes in length
– RT values follow the same basic format as the values of an RD; for a particular prefix only one RD is defined, but it can have one or more RTs
– MPLS uses RTs to determine into which VRFs a PE places iBGP-learned routes
– uses the “export” and “import” commands
“export” – redistribute out of the VRF into BGP
“import” – redistribute into the VRF from BGP

Overlapping VPNs
– can support overlapping VPNs by virtue of the RT concept
– the RT concept allows an MPLS network to leak routes from multiple VPNs into a particular VRF

Configuration of MPLS VPN. Steps:
1. Create each VRF, RD and RT, plus the association to the customer
2. Configure the IGP between PE and CE
3. Configure mutual redistribution between the IGP and BGP
4. Configure MP-BGP between PEs
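The four MPLS VPN configuration steps, together with the TTL-propagation and RD/RT points from the earlier sections, worked through for one PE router with a single customer VRF. This is an added example and not configuration from the notes; AS number 65000, the loopback and link addresses, the OSPF process numbers, the VRF name and the remote PE 10.255.0.2 are assumed values.

```cisco
! Added example: PE router for customer CUST-A. Addresses, ASN, process ids
! and names are assumed placeholders.
! --- core data plane: CEF, LDP, TTL handling ---
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
! do not copy the IP TTL into the MPLS header for forwarded traffic: the
! MPLS TTL starts at 255, so a customer traceroute sees the core as one hop
no mpls ip propagate-ttl forwarded
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/0
 description core link to P router
 ip address 10.0.12.1 255.255.255.0
 mpls ip
!
! core IGP: carries only PE/P loopbacks and links, never customer routes
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! Step 1: VRF with RD (ASN:nn format) and matching import/export RTs.
! Same RD on every PE for this customer is conventional; RTs decide leaking.
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
interface GigabitEthernet0/1
 description PE-CE link to CUST-A
 ip vrf forwarding CUST-A
 ip address 172.16.1.1 255.255.255.252
!
! Step 2: PE-CE IGP, a separate OSPF process bound to the VRF
router ospf 100 vrf CUST-A
 network 172.16.1.0 0.0.0.3 area 0
 ! Step 3a: routes learned from other sites (via BGP) advertised to the CE
 redistribute bgp 65000 subnets
!
! Step 4: MP-BGP VPNv4 session between PE loopbacks
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.2 activate
  ! extended communities carry the RTs; without this the remote PE drops them
  neighbor 10.255.0.2 send-community extended
 ! Step 3b: CE routes from this VRF's OSPF into BGP (VPNv4 with RD prepended)
 address-family ipv4 vrf CUST-A
  redistribute ospf 100 match internal external 1 external 2
```

“show ip bgp vpnv4 vrf CUST-A” shows the customer prefixes as 65000:100:prefix, i.e. the RD prepended to the IPv4 NLRI as described above, and “show mpls forwarding-table vrf CUST-A” shows the inner (VPN) label the remote PE will use to pick the egress VRF.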

Other MPLS applications
1. FEC (Forwarding Equivalence Class)
– a set of packets that receive the same forwarding treatment by a single LSR
2. VRF-Lite – known as Multi-VRF CE, provides multiple instances of IP routing tables in a single router

VRF-Lite without MPLS
– allows two separate IP internetworks to be split into different domains or groupings without requiring separate routers and without requiring separate physical connections
